The Payment Card Industry Security Standards Council wants to recruit more security professionals to help fight fraud and cybercrooks. A program announced Thursday allows any individual with a security background or interest in payments security to become a certified PCI Professional.
The PCIP program, which includes web-based training and an exam, represents the council's first offering geared toward individuals not necessarily associated with a business or organization, says Bob Russo, the PCI council's general manager. The web-based training will be available Nov. 1 on the council's website.
"We're looking at it as a really good addition to our training," Russo says. "More education means better security."
Previously, completing PCI payments security training would allow a security technician to certify as an Internal Security Assessor tied to a specific company, or a Qualified Security Assessor capable of reviewing and certifying a merchant payment system as compliant, Russo says.
"Now, anybody can obtain this new certification and become well-versed in PCI standards and put it on their business card that they are trained in payments security," Russo says.
The council created the PCIP program, which targets individuals with at least two years of information technology experience, after receiving feedback from PCI's participating organizations, he adds.
"They kept asking why individuals couldn't receive the training, so that more IT professionals and others could have this expertise," Russo says.
An individual completing the PCIP training "could not peddle himself as a Qualified Security Assessor" because a QSA must have support from a business or organization and satisfy insurance requirements, Russo says.
Otherwise, a PCIP-trained technician could capably serve as an independent contractor helping a merchant understand compliance standards, or operate as a payments security staffer at an organization, Russo adds.
"They wouldn't qualify as someone who could certify my payments system as compliant, but they would qualify as someone who could help me remediate some issues if I were a merchant looking for help," Russo says.
Persons interested in security technology will likely embrace the opportunity to develop more skills through training, says Julie Conroy McNelley, senior analyst and fraud expert with Boston-based Aite Group.
McNelley agrees that more education equates to better security, but she hopes to see PCI develop security awareness training for merchants, and make it a requirement for PCI compliance.
"It's probably most needed at the merchant level because they need to understand the security aspects of their systems," McNelley says. "Too many merchants view PCI as a necessary evil and just a box to check off [that their system is compliant]."
For now, the council encourages merchants to take advantage of the PCIP training by having their IT employees participate, building PCI compliance expertise in-house.
Currently, PCI has certified nearly 1,100 Internal Security Assessors and more than 1,700 Qualified Security Assessors operating out of more than 250 active QSA companies, according to council figures.
The PCI council plans to eventually increase those numbers with PCIP as a foundation and potential stepping stone to further security education, Russo says. In addition, the council will list those with PCIP certification in a global directory on the PCI website.
Candidates seeking the PCIP certification have 30 days to complete the training module prior to scheduling the written exam at one of more than 4,000 Pearson VUE Testing Centers worldwide. Those who believe they have a solid background and can complete program requirements can skip the training and only take the exam, Russo says.
The council outlines the training requirements and costs, which vary for participating organizations and those not affiliated with PCI, on its website.